I may have missed something, but what happens if you do right=%any?
At that point the rightid becomes irrelevant, doesn't it?

Nick
On 08/04/2019 10:33, Paul Wouters wrote:
On Fri, 5 Apr 2019, Messa, Michael - 0664 - MITLL wrote:
"I still cannot imagine a scenario where
the constraints you mention are a valid set of constraints for
deployment."
I concur. The counter argument I've received is that the PSK
alone is sufficient to anchor the trust between the client and
the server and that the IDr in this case is not consequential.
That might be true, if the PSK is unique and not shared, and the
scenario only works when you have one of these, because if you have
two of these, then you would end up having to select one PSK and if the
AUTH fails, retry with the other PSK. So again, that makes supporting
this a really odd corner case. The obvious solution would be to agree
on the ID and configure it. Or if the other party refuses that, to just
see what ID they send and stupidly configure it on your end as the peer
ID.
Paul
_______________________________________________
Swan mailing list
[email protected]
https://lists.libreswan.org/mailman/listinfo/swan
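The "agree on the ID and configure it" approach from the thread, written out as an added libreswan configuration example (not taken from the thread or from the libreswan project's own documentation). The connection name, addresses, IDs and PSK value are constructed placeholders; `right=%any` still leaves `rightid` in place, so the responder has a single, unambiguous (leftid, rightid) pair to look up the PSK with and never has to guess between two secrets.

```conf
# /etc/ipsec.conf fragment (constructed example)
conn psk-with-explicit-peer-id
    ikev2=insist
    authby=secret
    # Our side: fixed address and a fixed ID we send as IDi/IDr.
    left=192.0.2.1
    leftid=@gateway.example
    # Peer may come from any address, but its ID is pinned so that
    # only one PSK can match this connection. Without rightid the
    # secret would have to be chosen from whatever ID the peer sends.
    right=%any
    rightid=@client.example
    auto=add

# /etc/ipsec.secrets fragment (constructed example)
# The PSK is keyed by BOTH IDs: the pair agreed with the peer selects
# exactly one secret, so a failed AUTH is a real mismatch, not a
# "try the other PSK" situation as described in the thread.
@gateway.example @client.example : PSK "REPLACE-WITH-A-LONG-RANDOM-SECRET"
```

If the peer will not agree on an ID in advance, the thread's fallback is to read the ID it actually sends from the libreswan logs and put that value in `rightid`.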